
How role enforcement works

The Bravura Security Fabric role enforcement engine can identify users who have excessive or insufficient access during auto discovery, and issue workflow requests to correct violations. The engine only enforces roles, resources, and users that are included in the enforcement jurisdiction. It can also list users who are in violation without taking any action.

For role enforcement, a resource is an account on a target system, a managed group, or a role. A user has a surplus violation when they hold access privileges to a resource that is not part of any role assigned to them. A surplus violation can be resolved automatically by:

  • Removing the resource from the user’s profile

  • Requesting an exception to the enforcement rule

A user has a deficit violation when they lack access privileges to a resource that one of their assigned roles requires. A role is considered in deficit when one or more of its member resources have not been granted to the user; the role itself cannot be a deficit, only its missing members can. A deficit violation can be resolved automatically by:

  • Adding a missing resource to the user’s profile

  • Requesting an exception to the enforcement rule

You can set the default action to take for enforced users on a system-wide basis, and override the action for a role, group, or target system.
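As an added illustration (not Bravura Security Fabric's own code or configuration), the following toy enforcement engine in Python applies the surplus and deficit rules above to constructed sample data: it expands a user's assigned roles into the resources they require, classifies each held or missing resource, reports rather than acts on anything outside the jurisdiction, and picks the system-wide default action unless a role, group or target-system override applies. The data model, the nested-role expansion, the override precedence (role over group over target system) and the sample users, roles and systems are all assumptions of this example.

```python
"""Toy role-enforcement engine illustrating surplus/deficit violations.
Added example only: the data model, override precedence and sample data are
assumptions, not Bravura Security Fabric's own code or configuration."""
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    CORRECT = "correct"      # surplus: remove the resource; deficit: add it
    EXCEPTION = "exception"  # request an exception to the enforcement rule
    REPORT = "report"        # list the violation but take no action


@dataclass(frozen=True, order=True)
class Resource:
    kind: str    # "account", "group" or "role"
    system: str  # target system for accounts and groups; "" for roles
    name: str    # "" for an account means "any account on that system"


@dataclass
class Policy:
    roles: dict           # role name -> set of member Resources
    jurisdiction: set     # Resources the engine may act on
    enforced_users: set   # users the engine may act on
    default_action: dict  # system-wide: {"surplus": Action, "deficit": Action}
    role_overrides: dict = field(default_factory=dict)    # role name -> Action
    group_overrides: dict = field(default_factory=dict)   # (system, group) -> Action
    system_overrides: dict = field(default_factory=dict)  # target system -> Action


def required_resources(policy, assigned_roles):
    """Expand assigned roles (nested roles included, an assumption here) into
    {member resource: role that requires it}. Role names are returned separately:
    a role by itself cannot be a deficit, only its missing members can."""
    required, seen, pending = {}, set(), list(assigned_roles)
    while pending:
        role = pending.pop()
        if role in seen:
            continue
        seen.add(role)
        for res in policy.roles.get(role, set()):
            if res.kind == "role":
                pending.append(res.name)
            else:
                required.setdefault(res, role)
    return required, seen


def find_violations(policy, assigned_roles, entitlements):
    """Surplus: held but granted by no assigned role. Deficit: required but not held."""
    required, granted_roles = required_resources(policy, assigned_roles)
    covered = set(required) | {Resource("role", "", r) for r in granted_roles}
    surplus = sorted(r for r in entitlements if r not in covered)
    deficit = sorted((r, via) for r, via in required.items() if r not in entitlements)
    return surplus, deficit


def operation(policy, user, violation, resource, via_role=None):
    """Report-only outside the jurisdiction; otherwise the system-wide default
    unless a target-system, group or role override applies (most specific wins)."""
    if user not in policy.enforced_users or resource not in policy.jurisdiction:
        return "report"
    action = policy.default_action[violation]
    action = policy.system_overrides.get(resource.system, action)
    if resource.kind == "group":
        action = policy.group_overrides.get((resource.system, resource.name), action)
    key = resource.name if resource.kind == "role" else via_role
    action = policy.role_overrides.get(key, action)
    if action is Action.CORRECT:
        return "remove" if violation == "surplus" else "add"
    return action.value


def enforce(policy, user, assigned_roles, entitlements):
    """Return the (user, violation, resource, operation) requests for one user."""
    surplus, deficit = find_violations(policy, assigned_roles, entitlements)
    requests = [(user, "surplus", r, operation(policy, user, "surplus", r)) for r in surplus]
    requests += [(user, "deficit", r, operation(policy, user, "deficit", r, via))
                 for r, via in deficit]
    return requests


# Constructed sample data (hypothetical systems, groups, roles and users).
PAYROLL_ACCOUNT = Resource("account", "HR-SAP", "")
PAYROLL_READERS = Resource("group", "AD", "Payroll-Readers")
FINANCE_APPROVERS = Resource("group", "AD", "Finance-Approvers")
DOMAIN_ADMINS = Resource("group", "AD", "Domain Admins")
LEGACY_ACCOUNT = Resource("account", "Legacy-Mainframe", "")  # outside the jurisdiction

POLICY = Policy(
    roles={"Payroll Clerk": {PAYROLL_ACCOUNT, PAYROLL_READERS},
           "Finance Lead": {Resource("role", "", "Payroll Clerk"), FINANCE_APPROVERS}},
    jurisdiction={PAYROLL_ACCOUNT, PAYROLL_READERS, FINANCE_APPROVERS, DOMAIN_ADMINS},
    enforced_users={"alice", "bob"},
    default_action={"surplus": Action.CORRECT, "deficit": Action.CORRECT},
    role_overrides={"Finance Lead": Action.EXCEPTION},  # deficits of this role get an exception request
)


def demo():
    alice = enforce(POLICY, "alice", ["Finance Lead"],
                    {PAYROLL_ACCOUNT, PAYROLL_READERS, Resource("role", "", "Payroll Clerk"),
                     DOMAIN_ADMINS, LEGACY_ACCOUNT})
    bob = enforce(POLICY, "bob", ["Payroll Clerk"], set())
    carol = enforce(POLICY, "carol", [], {DOMAIN_ADMINS})  # carol is not an enforced user
    return alice, bob, carol


if __name__ == "__main__":
    for user, violation, res, op in sum(demo(), []):
        print(f"{user:6} {violation:8} {op:10} {res.kind} {res.system} {res.name}")
```

Running the block prints one line per request: alice's out-of-jurisdiction mainframe account is only reported, her surplus Domain Admins membership gets a removal request, and her missing Finance-Approvers membership gets an exception request because of the role override; bob gets two add requests; carol's surplus is reported but not acted on because she is not an enforced user.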